For the past several years, California’s Legislature has actively sought to regulate unmanned aerial systems (“UAS”), including, but not limited to, through privacy-related legislation.
In the 2014 session, one bill (AB 2306) passed and was signed by Governor Brown. It bans the use of UAS to capture images or record voices of people without their permission, and is widely regarded as an anti-paparazzi law, aimed at protecting the many celebrities – and their children – in California’s entertainment industry. However, the wording of the bill more broadly protects individuals’ privacy from visual or audio recording in a manner that is “offensive to a reasonable person … under circumstances in which the [person] had a reasonable expectation of privacy” if the recording could not have been made without either trespassing or using special equipment (such as a UAS). The bill is codified at California Civil Code section 1708.8.
In the 2015 session, the California Legislature introduced five more bills, covering a range of issues.
The Third Circuit affirmed the ruling of the district court, finding that the FTC has authority to regulate cybersecurity under the unfairness prong of § 45(a) of the FTC Act and that neither the plain meaning of “unfairness” nor congressional action in the area of cybersecurity negates such authority. The Third Circuit also found that, to satisfy due process, a company need not have had “fair notice” of the FTC’s interpretation of what specific cybersecurity standards are required to avoid liability under the unfairness prong of § 45(a), but only “fair notice” that cybersecurity practices can form the basis of an unfair practice under § 45(a), notice the court found to exist here.
The Organisation for Economic Co-operation and Development (OECD) has published its 2015 Digital Economy Outlook (“Report”), a survey of changes and opportunities in, and challenges arising from, the digital economy. The Report identifies three broad trends for member countries and their partners to focus on in digitising their economies:
The United States Court of Appeals for the Third Circuit’s much anticipated ruling in FTC v. Wyndham has now been released. The court affirmed the FTC’s authority under section 5 of the FTC Act to seek consent decrees or bring enforcement actions against companies that allegedly failed to put in place reasonable cybersecurity practices to protect consumer data. The court also affirmed the district court’s finding that the Federal Trade Commission provided sufficient “fair notice” to Wyndham regarding the cybersecurity practices the agency deems reasonable to avoid liability under the FTC Act. With this decision, the case will now move forward to the merits phase at the district court. A more detailed analysis of this decision will be posted here shortly.
On August 12, the National Institute of Standards and Technology (NIST) published a Request for Information (RFI) to help develop the next generation of technical encryption standards used by the U.S. Government and federal contractors to protect sensitive information. The new standard will update Federal Information Processing Standard (FIPS) 140-2, which has provided the baseline requirements for the development, testing, and validation of cryptographic modules since 2001. While the RFI seeks input on several questions, NIST is primarily interested in the risks and benefits of transitioning, in whole or in part, to a competing standard developed by the International Organization for Standardization and the International Electrotechnical Commission: ISO/IEC 19790:2012.
With the aim of keeping pace with European practice, on July 13th 2015, the Russian President signed into law a bill amending the Federal Law “On Information, information technologies and on protection of information” No. 149-FZ of 27 July 2006. This law (the “Law”) introduces in Russia the so-called “right to be forgotten” or “right to oblivion” and will take effect on January 1st 2016.
Under the Law, upon receiving a request from an individual, search engines must cease listing links to Internet pages with information on the individual where such information is:
- unlawfully disseminated;
- outdated; or
- irrelevant (i.e. it has lost its importance to the individual due to subsequent events or actions of the individual).
The UK’s Information Commissioner’s Office (ICO) is known to prefer an “engaging” rather than an enforcement approach with organisations. However, when looking at the “action we’ve taken” page on the ICO website, the ICO’s enforcement activity seems to be increasing by the day. While the ICO has stated that it wants to focus its enforcement efforts going forward on unsolicited marketing, such as nuisance messages and calls, breaches of security requirements have to date attracted the majority of the ICO’s enforcement attention. Therefore, organisations operating in the UK would be well-served to focus on understanding and adhering to the ICO’s expectations for data security compliance.
As we reported last week, on 3 August 2015 the Russian Ministry of Communications, the agency that oversees the Russian data protection authority which will be enforcing Russia’s Data Localization Law, published unofficial clarifications on its website that provide a view into how the Ministry believes organizations must comply with the law. While these clarifications are non-binding, they constitute the only written regulatory guidance that has been published to date about the law, which takes effect on 1 September and requires organizations that collect personal data from individuals located in Russia to store that data within Russian territory. The Ministry’s website also provides a mechanism to ask further questions online.
In this blog post, we summarize the main issues raised in the published clarifications, and the possible impact on global businesses seeking to comply with the law.
Adopted by Parliament in June 2015, France’s new surveillance law was ratified by the President on July 24, 2015 and published in France’s Official Journal on July 26, 2015. France’s Constitutional Court (“Court”) reviewed the law prior to its ratification and issued an opinion on July 23, 2015 requiring deletion of certain measures that the Court felt were incompatible with constitutional principles. However, a number of observers were surprised that the Court validated a provision of the law allowing intelligence agencies to deploy algorithms to analyze traffic and log data to detect potential terrorist threats. To some lawyers, analyzing the traffic and log data of the entire population of France violates the proportionality principle set forth in the European Court of Justice’s Digital Rights Ireland decision.